Redemption Arc: ZeroAccess Botnet Architect Resurfaces as a Microsoft-Certified Developer
The story of one of the most notorious cyberthreats of the past decade has taken an unexpected turn. The developer behind the ZeroAccess botnet—which once infected millions of devices across the globe—has resurfaced years after his exposure, not as a malware author, but as a creator of legitimate system-level debugging and analysis tools. In 2025, he even published his own Windows kernel debugger, named YDbg, on GitHub — a modernized successor to a previously unknown utility project called Z-Dbg.
Emerging around 2009, ZeroAccess became one of the most expansive and technically complex peer-to-peer botnets of its era. Its foundation was a kernel-level rootkit, designed to ensure stealth and persistence within compromised systems. Initially deployed for click fraud, the network later evolved to mine Bitcoin. Though the rootkit module was eventually abandoned, the underlying infrastructure concept persisted. Over time, it became clear that its creator possessed profound knowledge of Windows internals and the ability to bypass its security mechanisms. That same individual, as later discovered, transitioned into legitimate work—developing system utilities and debugging tools, and offering freelance services on professional platforms.
In 2016, members of the kernelmode.info forum attempted to uncover the identity of the ZeroAccess developer. Their investigation led to several benign Windows applications authored by the same person, including TV streaming software containing metadata with contact details that ultimately revealed a real individual: a 40-year-old man from Odesa, Ukraine, named Maksim Samuistov, known under the Skype handle maksimsamuistov. This information was passed to CERT-UA, which confirmed his existence. However, local law enforcement at the time declined to take action. Following the publication of this data on the forum and on X (formerly Twitter), the developer deleted his freelance profiles and temporarily vanished from the web.
By 2017, new online profiles began to emerge under the aliases rbmm and alex short, linked to active accounts on GitHub, Stack Overflow, and OSR Online, all of which remain in use. In 2019, he once again appeared on Upwork, offering services under the name Alex S., listing Lviv as his location. Additional profiles later surfaced on X, LinkedIn (since deleted), YouTube, and a personal blog. His X profile mentions participation in projects such as Protectimus and StartMenuX, indicating a continued shift toward legitimate software development.
Among his modern creations, the most notable is the Windows kernel debugger—originally known as Z-Dbg, and reintroduced in 2025 as YDbg, now available on GitHub. Earlier posts suggest that he shared prototypes with other developers, possibly explaining the appearance of older builds on VirusTotal. Based on its architecture and features, Z-Dbg was designed for low-level diagnostics and kernel symbol analysis, offering advanced tools for driver and module inspection. A video demonstration of the debugger’s capabilities remains available on his YouTube channel.
Of particular interest are the digital signatures found in his executables. One installer from 2018 included components such as a 64-bit library named tkn.dll, signed with a self-issued certificate (ID 45cae3b9), requiring test-signing mode in Windows for loading. Meanwhile, a 32-bit build from 2015 revealed something more intriguing: most files bore the signature “max black”—an alias associated with his early work—but tkn.dll carried a valid certificate from Vertamedia, LLC.
Vertamedia (now Adtelligent) is an advertising monetization firm, raising an obvious question: how did the creator of ZeroAccess obtain access to its certificate? Theories range from theft to direct involvement in the company’s projects or collaboration with its employees. Coincidence seems unlikely—the overlap between a botnet built for click fraud and an ad-tech firm’s certificate is simply too conspicuous.
Comparing various builds reveals the evolution of his tools and the transformation of his practices. In recent YDbg releases on GitHub, all binaries are signed with valid certificates belonging to dennisbabkin.com, LLC. These include modules such as DbgNew.exe, MemDump.exe, NtRegView.exe, and SearchEx.exe, compiled between 2021 and 2025. Notably, the core driver tkn.dll now bears a signature from the Microsoft Windows Hardware Compatibility Publisher (WHCP), confirming its official certification for Windows and allowing it to load without test mode.
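The signature checks described in the two preceding paragraphs (self-issued certificate needing test-signing mode versus a WHCP-signed driver) can be reproduced on any binary with a short PowerShell script. This is an added example, not code from the article or from the YDbg project; the file path is a placeholder, and the WHCP detection relies on the signer's Subject name matching the publisher string quoted above.

```powershell
# Added example (not from the article or the YDbg project): classify the
# Authenticode signature on a driver or library the way the article does by hand.
# The path below is a placeholder; point it at the binary you want to inspect.
param([string]$Path = "C:\path\to\tkn.dll")

$sig  = Get-AuthenticodeSignature -FilePath $Path
$cert = $sig.SignerCertificate

if (-not $cert) {
    "{0}: no Authenticode signature (Status={1})" -f $Path, $sig.Status
    return
}

# A self-issued (test) certificate has identical Subject and Issuer and does not
# chain to a trusted root, so Status will not be Valid on a normal host.
$selfIssued = ($cert.Subject -eq $cert.Issuer)

# Drivers certified through the Hardware Dev Center carry this signer name.
$whcp = $cert.Subject -like "*Microsoft Windows Hardware Compatibility Publisher*"

[pscustomobject]@{
    File       = Split-Path $Path -Leaf
    Status     = $sig.Status          # Valid, NotSigned, UnknownError, ...
    Signer     = $cert.Subject
    Issuer     = $cert.Issuer
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    SelfIssued = $selfIssued
    WhcpSigned = $whcp
}

# Test-signing mode is what allows a self-issued driver signature to load;
# on a production host this boot setting should be absent or "No".
$testSigning = bcdedit /enum "{current}" 2>$null | Select-String -Pattern '^testsigning\s+Yes'
"Test-signing mode enabled: {0}" -f [bool]$testSigning
```

The bcdedit query needs an elevated prompt; the signature inspection itself does not.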
Taken together, this evidence suggests that the former creator of ZeroAccess has not only abandoned illicit activity but successfully legitimized his development work, earning the trust of digital certificate authorities. Unlike the rootkits and backdoors of the past, his modern tools meet contemporary security standards and are suitable for use by system programmers and driver developers.
Tellingly, since the last known mention of him in 2016, no malware samples have been discovered containing his distinctive code or structural patterns. It is highly likely that he has withdrawn entirely from the underground scene, focusing instead on legitimate software. According to available reports, in 2018 U.S. authorities made attempts to pursue him, though no arrest ever followed.
Thus, the fate of the ZeroAccess developer stands as a rare example of transformation—from the architect of one of the early 2010s’ most infamous botnets to a certified creator of professional system tools. His journey mirrors the broader evolution of the cybersecurity field: in an era where offensive security, APT simulation, and vulnerability research have become lawful alternatives to cybercrime, those who once built rootkits now craft debuggers and drivers signed by Microsoft.